Your message dated Sat, 27 Jul 2019 23:47:40 +0000
with message-id <e1hrwpc-000icm...@fasolo.debian.org>
and subject line Bug#932401: fixed in patch 2.7.5-1+deb9u2
has caused the Debian Bug report #932401,
regarding patch: CVE-2019-13636
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
932401: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=932401
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: patch
Version: 2.7.6-3
Severity: important
Tags: security upstream
Control: found -1 2.7.6-4

Hi,

The following vulnerability was published for patch.

CVE-2019-13636[0]:
| In GNU patch through 2.7.6, the following of symlinks is mishandled in
| certain cases other than input files. This affects inp.c and util.c.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-13636
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13636
[1] https://git.savannah.gnu.org/cgit/patch.git/commit/?id=dce4683cbbe107a95f1f0d45fabc304acfb5d71a

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: patch
Source-Version: 2.7.5-1+deb9u2

We believe that the bug you reported is fixed in the latest version of
patch, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 932...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Laszlo Boszormenyi (GCS) <g...@debian.org> (supplier of updated patch package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Fri, 26 Jul 2019 10:58:06 +0000
Source: patch
Binary: patch
Architecture: source amd64
Version: 2.7.5-1+deb9u2
Distribution: stretch-security
Urgency: high
Maintainer: Laszlo Boszormenyi (GCS) <g...@debian.org>
Changed-By: Laszlo Boszormenyi (GCS) <g...@debian.org>
Description:
 patch      - Apply a diff file to an original
Closes: 932401 933140
Changes:
 patch (2.7.5-1+deb9u2) stretch-security; urgency=high
 .
   * Fix CVE-2019-13636: mishandled following of symlinks (closes: #932401).
   * Fix CVE-2019-13638: shell command injection.
   * Fix CVE-2018-1000156 regression, temporary file leak on failed ed-style
     patches (closes: #933140).


--- End Message ---
